Dotting the "i"s in Identity

Monthly Archives: March 2010

Lilian Edwards (well, her Pangloss persona, anyway) offers another characteristically trenchant analysis here of the shocking mess that is the Digital Economy Bill. The DEBill* appears to be yet another in the growing list of legislative measures in which the Bill is drafted so as to confer disproportionate powers, while we are assured by the sponsoring Minister‡ that they will either never be used, or be used only for good.

Unfortunately both principle and practice tell us that that is simply not believable. Principle, because if the intent of the law is not clear in the legislation itself (but must be set out in some other entirely non-statutory document, such as an “open letter” from the Minister) the legislation is clearly deficient; and practice, because we have ample evidence that such assurances are seldom worth the open letter they are printed on. Once the Bill is enacted, the powers it confers will be used, whether or not their use is appropriate, proportionate, or even – in some cases – unlawful under other supervening provisions such as the Human Rights Act. It’s as simple as that.

Or the many documented instances of the inappropriate use of RIPA (Regulation of Investigative Powers Act) to gather evidence of, say, fly-tipping or dogs pooing on the pavement…

Or the officious use of SOCPA (Serious Organised Crime [sic] and Police Act) to arrest a lone man for reading out a list of Iraq war fatalities in front of the Cenotaph without police permission…

Or the pre-emptive (and presumptive) detention of people based on what they might do, not on what they are doing or have done…

… and so on, and on, and on.

The DEBill is wrong on almost every level.

It contains measures which actively inhibit or damage the prospects of a viable digital economy, while failing to legislate in areas which might contribute to one: for example, it will actively discourage the provision of internet access in places like libraries, schools and universities, but it has absolutely nothing to say on the topic of, say, a smart grid for consumer energy usage.

It enshrines measures which undermine or over-ride due process. For instance, it will allow commercial companies to force the disconnection of households, businesses and other organisations without going to court, and regardless of who (if anyone) within those households, businesses or organisations has or has not committed what the DEBill defines as an offence. In my case, for example, that could mean that I was cut off from my ability to earn a living because of untested and unproven allegations – against someone else – by a third party.

It actively discriminates against, for instance, individuals who upload photographs to sharing sites such as Flickr – making it possible for third parties to exploit such material on payment of a fee to the UK government. Not only is this manifestly unfair, it reflects a fundamental misunderstanding of how the internet works… let me take a moment to explain why I say that.

I want to upload photos to Flickr so that others can see them, but I don’t necessarily want to publish my identity along with the photos… so I have a pseudonymous account. Flickr has my true details, of course, but there is no reason for those to appear alongside my photos. If I use Flickr’s Creative Commons options to specify, for instance, that my photos may not be re-used in any way, that ought to be as far as I need to go. There is no need for a third party to establish who I am, because I have made clear my preference for my photos not to be re-used.

However, the DEBill, as drafted, would entitle such a third party to claim that my photos were orphan works (because the “copyright holder” could not be identified). That third party could then apply for permission to exploit my photographs – not to me, but to the government. The fee for that permission would go, not to me, but to the government. Anyone see an issue with this? Thought not.

The DEBill is wrong at the meta-level, too. Not only does the Bill itself enshrine evasions of due process (as described above), it is also about to be pushed through Parliament without debate, as part of the inappropriately-named “wash-up” process in the closing days of the legislative session.

On April 6th, the Bill will be given its second reading and then become a bargaining chip in an unaccountable and undemocratic haggling session amongst MPs whose chances of forming part of the next legislature are entirely uncertain.

I urge you to let your MP know that you object to the Bill and its passage through Parliament.

* And as I have noted on Twitter, that name must have our Francophone colleagues rolling in the aisles… “débile” being French slang for “nuts/crazy/daft”…

‡ In this case, reassuringly, that is Lord Mandelson, Baron of Foy in the County of Herefordshire and of Hartlepool in the County of Durham; First Secretary of State; Secretary of State for Business, Innovation and Skills; President of the Board of Trade; Lord President of the Council.

Transport secretary Lord Adonis is quoted as saying that exempting children from the ‘naked’ scanners at airports would risk undermining the security measures.

I have a number of issues with that assertion.

One is to wonder, in passing, why a decision of that nature (which seems to me to be far more about social ethics than about transportation) should fall to the transport secretary.

The other, contrary to what you might expect, is not about whether capturing such images of children is in itself appropriate. Rather, I question the longer-term effects of adopting this approach.

Once, as a child, I was on a flight from the UK to the Middle East when it made an unexpected landing at a major European airport because of a technical fault. While the airline investigated what the problem was and how to fix it, we were all transferred off the plane and into a transit lounge. At no stage was there any suggestion that we would be allowed anywhere other than the transit areas of the terminal. Despite that, I was given a full and thorough pat-down by a security officer on reaching the building from the plane. At the time, I was irritated – it seemed to me to be an unnecessary and entirely gratuitous measure.

As you can tell, it stuck in my mind. Over time, my feeling of irritation has been replaced by one of wondering why on earth I was singled out, and whether there was some motivation other than security. That’s not a pleasant feeling, even in retrospect, but it does highlight, for me, one foreseeable but probably unintended consequence of the ‘naked scanner’ policy.

At least, in my case, there was something which served to remind me that something untoward might, conceivably, have happened. In the current context, we will be educating a cohort of children to submit themselves to potentially intrusive and inappropriate procedures which – to all intents and purposes – “don’t happen”: a four-year-old child, say, will simply think they have been told to stand in a small room for a moment.

Then again, to pre-empt the likely comment from Richard Veryard – maybe that is the purpose of the system (POSIWID).

I noticed some Twitter correspondents prefixing their messages with “.@username” rather than plain “@username”, and having been unable to find an explanation online anywhere, did the sensible thing and asked via Twitter…

I got several responses, which mostly tallied with each other (!), and with any luck I have worked out what the deal is. The only clear way I could think of to express it was (and Eve will be so happy)… a Venn diagram. Here you go.

So – if I have got it right:

D username: visible only to the sender and recipient;

.@username: visible to the sender, sender’s followers and the recipient;

@username: visible to the sender, recipient, and the intersection of their followers.

[Post updated, 16/3/2010]

A further note: as usefully pointed out by NishantK (see comments below), unless you have set your twitter stream to be private and non-searchable, of the three types of message above, only D(irect) messages do not appear in your profile page and search results.

In general, I still have two issues with this at the design level:

1 – When a humble full stop can make such a subtle syntactical difference, is it any wonder we find it hard to grasp how to manage our online personas effectively?

2 – I started out by being frustrated at why searching for “.@” didn’t produce any useful help with definitions; I graduated to exasperation when I learned that the “.” is actually arbitrary, and any other character would have the same effect. Is it just me, or is that really daft? It means there is, essentially, no practical way either to index or to search for information about a Twitter function which makes a difference…

I spent some time trying to think of a good word for “arbitrary, un-documentable feature” – but the only one I could come up with was “bug”.

Something is rotten, it would seem, at the heart of copyright legislation.

Otto von Bismarck definitely had a point when he remarked (allegedly, at least), that “the less people know about how laws and sausages are made, the easier they sleep at night”. That said, if there are unnatural acts being committed in either process, there must be a point at which it’s better to know than not to know.

This article, by Bill Thompson, rightly highlights the dangers of allowing copyright law to degenerate into an unregulated mess, devoid of due process and subject to partisan abuse. That far I agree with him. However, I disagree that the best response is to re-draft the law so that it redresses the balance in favour of the data consumer, as opposed to the copyright holder.

The problem with that approach is that we are all, increasingly, publishers of data and (ideally) copyright-holders… of the information we disclose about ourselves. In fact, I have often made the comment that the rights which so irritate us when they are officiously enforced by media publishers, are exactly those rights which we would dearly love to be able to enforce when they relate to our personal information. If the laws are to be re-drafted, the aim should not be to rebalance the rights of data consumers and data publishers per se… but to ensure that the rights currently accorded to the ‘traditional’ holders of copyright are extended to all of us.

In other words, it’s time that the laws on publishing were extended to protect all those who publish, and not just those who published before Web 2.0 came along.

Unfortunately, if we adopt Bismarck’s attitude to the law-making process, instances such as the international Anti-Counterfeiting Trade Agreement (ACTA) and the UK Digital Economy Bill (DEBill) make one thing quite clear: if you wait until the process has finished before worrying about the result, it will be too late.

Knowing how Eve loves a Venn diagram, I thought this was the best way to gauge interest in my new line of badges. Plus, I wouldn’t want you to think I had launched a new product without doing a thorough market segmentation exercise first. So here it is, fresh from the back of the envelope…

The back-story is here, on Eve’s blog. It occurred to her (and who am I to argue?), that a healthy mind-set for data sharing these days is not to try and prevent it ever happening, but to work on ways of ensuring that it only happens with the consent of the data subject. That in turn put her in mind of Luc Besson’s “The 5th Element” [Ian Holm, Milla Jovovich, Bruce Willis].

Hence the new line of badges – based on Leeloo’s reaction when unexpectedly kissed: “ecto gammat!”, meaning “never without permission!”. It’s not that it can never happen… it had just better be with prior consent.

Over on the Hawktalk blog, Chris Pounder has a characteristically incisive analysis of some of the privacy problems which arise out of the deployment of biometric passports. If you don’t follow Hawktalk already, I’d recommend it. In the meantime, here’s a copy of the comment I’ve added on Chris’ post, setting out some of the further implications.

In many of the early discussions about the NIS/NIR[1] it was just noted, as an “inconvenient side-effect” of biometric enrolment, that individuals who legitimately need an assumed ID (intelligence officers, undercover police officers, endangered witnesses, victims of domestic abuse) would need to be specially handled by the NIR. The implication was that the NIR would (need to) be designed so as to allow an alias to be registered against a given biometric record.

However, the Dubai episode reveals that this initial analysis is flawed and does not fully reflect the risk involved.

It is one thing for the NIR to be able to respond as if a valid alias were a real ID – unfortunately, that’s not the only valid use-case… as Dubai clearly illustrates. In practice, suppose my passport says that I am Oscar Wilde, and my biometric is registered against the name “Oscar Wilde” in the NIR; I may well have travelled to the States several times, for instance, and their immigration systems will have registered my fingerprints and facial biometric against the name “Oscar Wilde”.

But imagine I then have to adopt a (legitimate) alias:

my NIR entry is changed to associate my biometric with the name “William Gladstone”;

I’m issued with a new, valid passport in the name of William Gladstone.

How the hell am I going to explain that to a US immigration official, whose database (totally beyond the control of the NIR) clearly shows that my biometrics belong to “Oscar Wilde”, not “William Gladstone”?

To put it more simply: once a foreign government has linked your biometric with one name, the fact that the NIR links it with a different name is likely to do you more harm than good.

This will clearly be both inconvenient and possibly dangerous for intelligence officers, but it also raises serious safety, privacy and practical concerns for, say, victims of domestic abuse or jury-tampering, who may be obliged to disclose that fact (quite unnecessarily) just in order to cross a frontier. If they are doing so in order to begin a new life away from the source of the abuse, that is not a happy start to the process…

Just to put the icing on the cake, of course, a likely perverse consequence of this is that suspicious foreign governments will start to assume the worst of anyone explaining that their ID/biometric don’t match because they’re a fleeing victim of domestic abuse – simply because that’s the easiest way for travelling spooks to game the system.

Please note:

This blog contains a mixture of "personal" and "work-related" posts, if you choose to make that distinction. None of the opinions expressed should be taken to represent either the views or policies of my employer.